Projects : sysutils/fusefs-cryptofs

BSDforge

The following are FreeBSD ports, or other *BSD-related projects, hosted or worked on at BSDforge in the sysutils category.

fusefs-cryptofs

fusefs-cryptofs is an encrypted filesystem for FUSE.

What is CryptoFS?

CryptoFS is an encrypted filesystem for Filesystem in Userspace (FUSE) and the FreeBSD UFS, or the Linux Userland FileSystem (LUFS). Visit http://fuse.sourceforge.net/ for more information on FUSE or http://lufs.sourceforge.net/lufs/ for more information on LUFS.

CryptoFS uses a normal directory to store the encrypted files. The mountpoint contains the decrypted files. Every file stored in this mountpoint is written encrypted (data and filename) to the directory that was mounted. Once you unmount the directory, the encrypted data can only be accessed by mounting the directory again with the correct key. Like other FUSE/LUFS filesystems, it does not need root access or any complicated setup such as creating a filesystem on an encrypted disk using the loop device.

CryptoFS can be built for FUSE and LUFS. When you build for FUSE you get a program to mount the filesystem. For LUFS a shared library is built that can be used by LUFS's lufsd. Both methods can use the same encrypted directory.

Why CryptoFS?

I first used the evfs Linux kernel patch that does nearly the same thing as CryptoFS. But it seems that it has been abandoned. The last patch was available for the Linux kernel 2.4.20, and has not been updated for newer Linux kernels since then. When I found LUFS I thought it could be a good base for a crypto filesystem that works like evfs and allows a user to mount any directory as an encrypted storage without having root access and creating a crypto filesystem using the loop device. So when I found no other program that offers these possibilities I started to write my own filesystem for LUFS. Unfortunately LUFS seems to be dead too, so CryptoFS can now be built for FUSE too, which has already made it into the FreeBSD kernel, and ports system, as well as the official Linux kernel package.

Requirements

You need either FUSE or LUFS to use CryptoFS. For FUSE you need the FUSE tools, library and kernel module. You also need the FUSE development files to build the FUSE filesystem. See http://fuse.sourceforge.net/ for more information and downloads. If you don't want to build CryptoFS for FUSE you can use the --disable-fuse configure switch. Otherwise it will be built when the development files are found on the system. For LUFS you only have to install the LUFS tools and load the LUFS kernel module. See http://lufs.sourceforge.net/lufs/ for instructions and LUFS downloads. If you want to disable building CryptoFS for LUFS you can use the --disable-lufs configure switch. As the LUFS module has no requirements it will be built by default. Installing and setting up LUFS and FUSE is not covered by this document.

CryptoFS uses Libgcrypt from ftp://ftp.gnupg.org/gcrypt/alpha/libgcrypt/ (version >= 1.1.44) and GLib from http://www.gtk.org (version >= 2.6). You must have installed these packages correctly before running CryptoFS's "configure" script.

Optionally CryptoFS can use the PIN Entry utility by GnuPG to ask the user for the filesystem's password. If the pinentry program is found on the system, CryptoFS will be automatically built with PIN Entry support. Otherwise it will fall back to the old console input method.

Installation

Using the FreeBSD ports system:
cd /usr/ports/sysutils/fusefs-cryptofs && make install clean
Using the FreeBSD pkg system:
pkg install sysutils/fusefs-cryptofs

Usage

First you have to set up the source directory by copying the file cryptofs.conf to <source>/.cryptofs, where <source> is the directory in which you want to store the encrypted files. You can adjust the values in the file, but the defaults should work fine.

For FUSE you have to run CryptoFS, which should be in an executable path after "make install". The required options are

lufsmount cryptofs://<source> <dest>

You will be asked for the password you want to use for this filesystem. It will be used to generate the cipher key.

After that you should be able to use the <dest> directory like any other directory, but all data will be read and written to the <source> directory in an encrypted form.
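
A check to run after mounting, added here as an example and not part of CryptoFS or of this page: it writes a canary file through <dest> and confirms that <source> received it without the plaintext file name or contents. The function names, the canary file name and the marker string are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not CryptoFS code): canary test for an encrypted-directory
# mount. <source> holds the ciphertext, <dest> is the mountpoint.

# Return 0 if neither the plaintext name nor the marker appears under $1.
backing_dir_clean() {
    src=$1 name=$2 marker=$3
    # File names: compared as fixed strings, relative to <source>.
    if (cd "$src" && find . -print | grep -qF -- "$name"); then
        echo "LEAK: plaintext file name visible in $src" >&2; return 1
    fi
    # File data: the marker must not be readable in any stored file.
    if grep -rqF -- "$marker" "$src"; then
        echo "LEAK: plaintext data visible in $src" >&2; return 1
    fi
    return 0
}

# Write a canary through <dest>, then inspect <source>.
# 0 = stored encrypted, 1 = plaintext leak, 2 = cannot write to <dest>,
# 3 = nothing reached <source> (mount not active, so data written to
#     <dest> sits unencrypted on the underlying filesystem).
canary_check() {
    src=$1 dest=$2
    name="canary-plain-$$.txt" marker="CANARY-MARKER-$$"
    before=$(( $(find "$src" -type f | wc -l) ))
    printf '%s\n' "$marker" > "$dest/$name" || return 2
    sync
    after=$(( $(find "$src" -type f | wc -l) ))
    rc=0
    if [ "$after" -le "$before" ]; then
        echo "NOT MOUNTED: write to $dest did not reach $src" >&2; rc=3
    else
        backing_dir_clean "$src" "$name" "$marker" || rc=1
    fi
    rm -f "$dest/$name"   # remove the canary again
    return $rc
}
```

Call it as canary_check <source> <dest> before storing real data in <dest>.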